SSH integration
Andrew Buss edited this page Nov 25, 2015
Integrate with SSH so that a user can log into a server only after some number of key owners have delegated to Red October.
An initial idea was to expose a port on the server which handles the SSH agent protocol, but blocks until the SSH key has been unlocked by a sufficient number of delegations. This would be dangerous without additional authentication, since anyone would be able to connect to the port and use it to authenticate to the target server.
We'd like to avoid sending the key in its entirety to a user. Instead we'd like the Red October server to accept a key challenge on a new endpoint and return a key response. Then a user can delegate their key for only a single SSH session.
Two more pieces are needed:
- a tiny script which listens on a socket and handles the SSH agent protocol, forwarding SSH challenges to the new Red October API endpoint and returning the result
- a small wrapper script around ssh which forks off the script above, sets the SSH_AUTH_SOCK environment variable, and invokes ssh normally with the remaining arguments
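An added sketch of the first piece, not code from the Red October project: a minimal agent that speaks the SSH agent protocol's identities and sign messages and hands each challenge to a `sign` callback, which stands in for the proposed (hypothetical) Red October challenge endpoint. It advertises only the delegated public key, refuses to sign for any other key, and returns SSH_AGENT_FAILURE until the callback reports that enough delegations have unlocked the key.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def pack_string(b: bytes) -> bytes:  # SSH 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):  # decode an SSH 'string'; (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def handle_message(msg: bytes, key_blob: bytes, comment: bytes, sign) -> bytes:
    """Reply to one agent request (type byte + payload). sign(data) stands in
    for the hypothetical Red October challenge endpoint: it returns the wire-
    format signature, or None while the key lacks enough delegations."""
    if msg and msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        # Advertise only the delegated public key; the private half never leaves RO.
        return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                + pack_string(key_blob) + pack_string(comment))
    if msg and msg[0] == SSH_AGENTC_SIGN_REQUEST:
        requested, off = read_string(msg, 1)
        data, _ = read_string(msg, off)
        sig = sign(data) if requested == key_blob else None  # refuse other keys
        if sig is not None:
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + pack_string(sig)
    return bytes([SSH_AGENT_FAILURE])  # unknown request, wrong key, or not unlocked

def serve(sock_path: str, key_blob: bytes, comment: bytes, sign) -> None:
    """Serve agent requests on a Unix socket; the ssh wrapper exports it as SSH_AUTH_SOCK."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)  # only this user may reach the agent socket
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rwb") as f:
                hdr = f.read(4)
                while len(hdr) == 4:  # each frame: uint32 length + body
                    body = f.read(struct.unpack(">I", hdr)[0])
                    f.write(pack_string(handle_message(body, key_blob, comment, sign)))
                    f.flush()
                    hdr = f.read(4)
```

The wrapper script then only needs to start `serve` in the background, export SSH_AUTH_SOCK pointing at `sock_path`, and exec ssh with its remaining arguments.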